You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@spamassassin.apache.org by bu...@spamassassin.apache.org on 2021/10/21 00:27:11 UTC

[Bug 7937] New: T_DOC_ATTACH_NO_EXT flaw in logic?

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7937

            Bug ID: 7937
           Summary: T_DOC_ATTACH_NO_EXT flaw in logic?
           Product: Spamassassin
           Version: unspecified
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Rules
          Assignee: dev@spamassassin.apache.org
          Reporter: alek@theatticnetwork.net
  Target Milestone: Undefined

Hey there

We are seeing a high rate of detections against the T_DOC_ATTACH_NO_EXT test
which looks like so

T_DOC_ATTACH_NO_EXT   __ATTACH_NAME_NO_EXT && (__PDF_ATTACH || __DOC_ATTACH_MT)

The logic here I don't think is quite right its saying: 

If there is no attachment extension AND its a PDF or Document - then fire

However, the behavior we are seeing in production is:

There is an email with multiple attachments say 5 attachments
4 images (thanks email signatures :( ) with no extensions and 1 PDF file
The test is triggering because the image files don't have a extension. 

I believe the logic should be: 
(__ATTACH_NAME_NO_EXT && (__PDF_ATTACH || __DOC_ATTACH_MT))
To tie the missing extension to the detection of the PDF and Document clause. 

I don't know the logic well enough to confirm if this is legal in the language
but.

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 7937] T_DOC_ATTACH_NO_EXT flaw in logic?

Posted by bu...@spamassassin.apache.org.

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7937

Bill Cole <bi...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |billcole@apache.org
         Resolution|---                         |WONTFIX
             Status|NEW                         |RESOLVED

--- Comment #1 from Bill Cole <bi...@apache.org> ---
There is no way to bind the 3 detections to the same attachment. The addition
of parentheses would have no effect. 

Because the rule is a test rule (name begins with T_) it scores a meaningless
0.01 by default, and because it has not proven to be useful in the rule QA
process it is not being rescored into relevance. 

As the score is too low to be causing misclassifications, I don't see any
compelling reason to remove the rule.

-- 
You are receiving this mail because:
You are the assignee for the bug.